Apple has finally released a fix for the certificate trust issue caused by the attack on DigiNotar, more than a week after the fraudulent certificates were identified and other browser vendors moved to revoke trust in them. However, the company did not update the mobile version of Safari to remove the certificates in iOS.
While Microsoft, Mozilla and Google had been communicating with users about the issue and pushing out new versions and updates to eliminate the compromised certificate authorities from their browsers, Apple had been mum about the attack and hadn’t given any indication of when it might issue an update for Safari. On Friday the company published a security advisory for Mac OS X users, saying that it was removing DigiNotar’s certificates from its trust list.
“Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted,” the advisory said.
Apple is the last of the major browser vendors to make the move to revoke trust in DigiNotar’s root certificates from its software. The update applies to Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, and Lion Server v10.7.1.
It’s unclear whether there’s a new version of iOS in the works to remove the certificates from iPhones, iPads and iPod Touches, as well.